A new service called "Enterprise State Roaming" from Microsoft, now available for preview testing, promises greater organizational control over roamed Windows 10 OS settings and application-state data for enterprises using Azure Active Directory (AD).

The preview is available only in "supported U.S. and Europe regions" right now, Microsoft said in an announcement yesterday, though the company plans a future global rollout.

The Enterprise State Roaming service requires having an Azure Active Directory Premium subscription. In addition, Windows 10 version 1511 ("build 10586 or greater") is required.

To use Enterprise State Roaming, the Windows 10 devices must be joined to Azure AD. Alternatively, they can be joined to a local AD instance that has "automatic registration to Azure AD," Microsoft explained in its announcement.

This sort of setup makes it possible to address some of the security, compliance and management needs that organizations may have when controlling Windows 10 devices. For instance, the service comes with a subset of the Azure Rights Management Service (RMS) that's been "restricted for Enterprise State Roaming use," Microsoft's announcement explained. Azure RMS is Microsoft's information protection service that works across various mobile devices. Typically, Azure RMS is used to do things like restrict access to documents in e-mails. In the case of the Enterprise State Roaming service, Azure RMS is used to automatically encrypt data "before leaving the user's Windows 10 device."

The Enterprise State Roaming service will store settings data in Microsoft's datacenters. The data are "encrypted at rest." There's also some assurance for organizations needing to meet data sovereignty compliance requirements. For instance, the data will get "stored in an Azure region based on the country associated with the Azure AD directory," Microsoft explained. That's an attempt to address European Union criteria for data storage.

IT pros can set up the Enterprise State Roaming service for Windows 10 clients using the Azure Admin Portal. After that's done, "Azure AD will automatically start syncing settings through the Azure cloud using enterprise accounts," Microsoft explained. IT pros can choose which settings to roam.

Microsoft already has a consumer "settings sync" capability for Windows 8/8.1 clients, which is dependent on the use of its consumer OneDrive storage service and the use of a Microsoft account for sign-in. However, this consumer sync approach doesn't have the same protections as the Enterprise State Roaming service.

The same Windows 10 device can be used for both personal and business use when using the Enterprise State Roaming service. For instance, it's possible to add a Microsoft account to an Azure AD-joined Windows 10 client as a secondary account. However, in such cases, "the OS settings always roam with the primary account." Application data will get stored based on how the app was acquired -- that is, as a consumer app (in OneDrive) or as a business app (in Microsoft's datacenters).

It's not clear yet when the new Enterprise State Roaming service will reach "general availability" commercial release.